A data intensive organization in today's information rich technological environment may transfer upwards of several TBs of traffic per second over its network. To guard against forwarding potentially harmful traffic, network device manufacturers have developed certain tools to monitor the ingress and egress of data packets making their way through such devices. Common tools include user configurable port tapping or monitoring. Oftentimes, each active network port is mirrored to one tap port. While such a 1:1 mirroring relationship may be easier to maintain when the flow of network traffic is low, the inefficiency of this particular scheme is quickly exposed when the flow of network traffic increases. In the case where the amount of ingress traffic at the active ports exceeds the bandwidth of the monitoring ports, one or more data packets may be dropped before they are examined. This is especially troublesome if a threat agent (for example, a computer virus) can only be detected when a protracted series of packets is present in its entirety, so that the network device can realize an attack is in progress. In such a case, the inadvertent dropping of one or two critical packets may leave the network vulnerable.
Moreover, even if the amount of traffic arriving at the active ports does not exceed the bandwidth of the monitoring ports, the deployment of a static 1:1 mirroring scheme may be inefficient, as no monitoring or tap port would be operating at near line-rate. In addition, most network monitoring solutions do not base their monitoring decisions on historical network traffic data or account for future spikes in network traffic.
Therefore, a network monitoring solution is needed that can handle the fluctuations of today's unpredictable network traffic by utilizing both historical and real-time knowledge of ingress network traffic patterns and the capacity constraints of all monitoring tools available.
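The static 1:1 mirroring shortfall and the capacity-aware alternative described above, as an added illustrative model that is not part of the original text. The port names, ingress rates, tap capacities and the first-fit packing heuristic are all constructed assumptions, not the scheme of any particular device.

```python
# Added example (not from the original text): a toy model of mirror/tap port
# capacity planning. Port and tap names, rates and capacities are constructed.
from dataclasses import dataclass

@dataclass
class Port:
    name: str
    rate_gbps: float       # real-time ingress rate on the active port
    peak_gbps: float       # historical peak ingress observed on this port

def static_1to1_drops(ports, tap_gbps):
    """Static 1:1 mirroring: each active port feeds its own tap of tap_gbps.
    Returns, per port, the Gbps of mirrored traffic that cannot fit (i.e. would
    be dropped before inspection); zero means that tap is under-utilised instead."""
    return {p.name: max(0.0, p.rate_gbps - tap_gbps) for p in ports}

def plan_taps(ports, tap_caps, headroom=1.0):
    """Pool ports onto taps so that expected load never exceeds tap capacity.
    Expected load = max(real-time rate, historical peak) * headroom, so a port
    known to burst keeps reserved room even while it is currently quiet.
    First-fit decreasing; returns (tap -> [port names], ports not placed)."""
    load = {p.name: max(p.rate_gbps, p.peak_gbps) * headroom for p in ports}
    remaining = dict(tap_caps)
    assign = {t: [] for t in tap_caps}
    unplaced = []
    for p in sorted(ports, key=lambda q: load[q.name], reverse=True):
        for tap in tap_caps:
            if load[p.name] <= remaining[tap]:
                assign[tap].append(p.name)
                remaining[tap] -= load[p.name]
                break
        else:
            unplaced.append(p.name)   # over-subscribed: flag rather than silently drop
    return assign, unplaced

def utilisation(assign, ports, tap_caps):
    """Share of each tap's capacity in use right now, given the real-time rates."""
    rate = {p.name: p.rate_gbps for p in ports}
    return {t: sum(rate[n] for n in names) / tap_caps[t] for t, names in assign.items()}

# Constructed sample: four active ports and two monitoring tools of differing capacity.
PORTS = [Port("A", 8.0, 9.0), Port("B", 1.0, 3.0), Port("C", 0.5, 2.0), Port("D", 6.0, 7.0)]
TAPS = {"tap1": 10.0, "tap2": 12.0}

if __name__ == "__main__":
    print("static 1:1 with 5G taps, dropped Gbps:", static_1to1_drops(PORTS, 5.0))
    plan, left = plan_taps(PORTS, TAPS)
    print("pooled plan:", plan, "unplaced:", left)
    print("real-time utilisation:", utilisation(plan, PORTS, TAPS))
```

Raising `headroom` reserves more margin for future spikes at the cost of ports the planner refuses to place, which is the trade-off the passage above describes.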